aff0077

Deeply nested <div> causes hang in parser (realistic example)
https://bugs.webkit.org/show_bug.cgi?id=309208
rdar://171763407

Reviewed by Wenson Hsieh and Ryan Reno.

This PR fixes an infinite loop in the HTML parser that occurs when parser hits the tree depth limit.

The HTML parser limits the DOM tree depth at 512. When this limit is reached, HTMLConstructionSite's
attachLater pops the top element from the open elements stack before pushing the new element, keeping
the depth at 512.

The problem is that this pop-and-push happens blindly — it can pop table-internal elements such as
table, tbody, tr, td, th, that the parser's insertion mode state machine depends on. This creates
an inconsistency between the insertion mode and the actual stack contents and causes an infinite loop.

With the test case specifically, td fails to get inserted into the stack of open elements, resulting
in the parser state to be InsertionMode::InCell without having td/th in the stack of open elements.
When `</table>` arrives in this state, HTMLTreeBuilder's closeTheCell fails silently and falls into
an infinite loop.

To fix this problem, this PR adds a new boolean state in HTMLConstructionSite, which indicates that
we've reached the maximum tree depth, and checks this state in HTMLTreeBuilder. When the flag is set,
we call resetInsertionModeAppropriately to correct the insertion mode to be consistent with the stack
of open elements.

Analysis done with Claude AI.

Test: fast/parser/html-parser-depth-limit-hang.html

* LayoutTests/fast/parser/html-parser-depth-limit-hang-expected.txt: Added.
* LayoutTests/fast/parser/html-parser-depth-limit-hang.html: Added.
* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::attachLater): Set m_hasReachedMaxDOMTreeDepth to true when we've\
reached the maximum tree depth of 512.
* Source/WebCore/html/parser/HTMLConstructionSite.h:
(WebCore::HTMLConstructionSite::hasReachedMaxDOMTreeDepth const): Added.
* Source/WebCore/html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processStartTagForInBody):
(WebCore::HTMLTreeBuilder::processStartTagForInTable):
(WebCore::HTMLTreeBuilder::processStartTag): Ditto.
(WebCore::HTMLTreeBuilder::processEndTagForInTableBody):
(WebCore::HTMLTreeBuilder::processEndTagForInRow):
(WebCore::HTMLTreeBuilder::processTrEndTagForInRow):
(WebCore::HTMLTreeBuilder::processTableEndTagForInTable):

Canonical link: https://commits.webkit.org/309454@main

c8d3c22

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	🛠 win	🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	🧪 win-tests	🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim